[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = req_distinguished_name

[req_distinguished_name]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign

[ v3_req_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ v3_req_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth

[ v3_req_apiserver ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names_cluster

[ v3_req_etcd ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names_etcd

[ alt_names_cluster ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.{{ ClusterDomain }}
DNS.5 = localhost
IP.1 = {{ KubernetesClusterSVCIP }}
IP.2 = 127.0.0.1
{% for host in groups['all'] %}IP.{{ loop.index + 2 }} = {{ hostvars[host].inventory_hostname }}
{% endfor %}
{% if groups['master'] | length !=1 %}IP.{{ groups['all'] | length + 3}} = {{ VIP }}{% endif %}

[ alt_names_etcd ]
DNS.1 = localhost
IP.1 = 127.0.0.1
{% for host in groups['etcd'] | union(groups['master']) %}IP.{{ loop.index + 1 }} = {{ hostvars[host].inventory_hostname }}
{% endfor %}
